
I have a Google App Engine PHP website. I have a register system, so the user logs in and it is saved to a database.

I want to be able to make it so that the user can only access via 2 devices. So if they try to login using a 3rd device then they won't be allowed. So for example the user's device (IP address or MAC address or something) is saved and if the user tries to login using a device that isn't saved or doesn't match the saved devices' credentials then they are denied access.

So to make it clearer a user (with the username i001) has a mobile phone and a laptop. So the user can log in to the website when they are using their mobile phone and laptop but no other device.

Is there any way to make this possible?

Mogsdad
David
  • Possibly store the session information in the database? That may not be completely fool-proof though. – Maximus2012 Mar 31 '15 at 14:37
  • That may work. How would I store the device information from the session? – David Mar 31 '15 at 14:47
  • I believe you can use the $_SERVER and $_SESSION superglobal arrays to get unique combinations of user/device information. $_SERVER will give you browser and IP address of the client: http://php.net/manual/en/reserved.variables.server.php. I don't think you can get the MAC address and don't think you even need that. – Maximus2012 Mar 31 '15 at 14:50
  • Hmm..Do you know the PHP Server code to get the details such as IP? – David Mar 31 '15 at 15:26
  • $_SERVER['REMOTE_ADDR']. Look at the answer with 172 votes: http://stackoverflow.com/questions/3003145/how-to-get-the-client-ip-address-in-php – Maximus2012 Mar 31 '15 at 15:28

1 Answer


I've had a similar problem and dealt with it in the following way in Symfony 2:

Every user has a maximum number of logins at the same time; for your case we take 2. Also I have a field which indicates how many logins are free right now.

So we have the following database:

maxLogins|loginsFree
2        |2

With every login, the UserID, the id of the session and the datetime of the login will be saved to the database. Within the login process the loginsFree column will be reduced.

So we have the following:

//After Login
maxLogins|loginsFree
2        |1

The logic to limit the access within the login is simple:

if($freeLogins == 0){
    //give out a message or something
} else {
    //do your login
}

If the user logs out of your system, loginsFree will increase by 1.

//After Logout
maxLogins|loginsFree
2        |2

IMPORTANT

You must not increase the loginsFree value over the maxLogins value, else the user could login more often than 2 times at the same time.

Also, because I solved this problem with the session, I needed a process that would invalidate sessions after a certain time of inactivity. Those sessions that got invalidated must also increase the loginsFree value since they took away a login.

KhorneHoly
  • Thank you for your detailed explanation. That makes sense. How many fields did your database have? like what did your database table look like? – David Mar 31 '15 at 15:25
  • @David my database saved the sessionID, the userID and the time of last activity that will be renewed by every activity the user does on this session. If the datetime of last activity is older than a given time the session will be invalidated. – KhorneHoly Apr 01 '15 at 06:49
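As an added example (not code from the question, the answer, or Symfony), here is the same two-device limit in PHP over the session table the answer describes: it counts live session rows instead of storing a loginsFree column, so the "never exceed maxLogins" caveat and the inactivity reaper need no separate bookkeeping. The table and constant names (user_sessions, MAX_LOGINS, IDLE_TIMEOUT) are assumptions for the demo.

```php
<?php
// Added example, not code from the question or the answer. It keeps the answer's
// session table (userID, sessionID, last activity) but derives the free-login count
// from the live rows instead of storing loginsFree, so the "never exceed maxLogins"
// caveat and the inactivity reaper need no extra bookkeeping. Assumed names:
// user_sessions, MAX_LOGINS, IDLE_TIMEOUT. Uses PDO + in-memory SQLite to run stand-alone.

const MAX_LOGINS   = 2;    // the asker's limit: phone + laptop
const IDLE_TIMEOUT = 1800; // seconds of inactivity before a session is invalidated

// Returns a fresh session id, or null when the user already holds MAX_LOGINS
// active sessions. Expiry, count and insert run in one transaction so two
// simultaneous logins cannot both be granted the last free slot.
function login(PDO $db, string $userId, int $now): ?string
{
    $db->beginTransaction();
    $db->prepare('DELETE FROM user_sessions WHERE last_activity < ?')
       ->execute([$now - IDLE_TIMEOUT]);              // reaper: idle sessions free their slot
    $count = $db->prepare('SELECT COUNT(*) FROM user_sessions WHERE user_id = ?');
    $count->execute([$userId]);
    if ((int) $count->fetchColumn() >= MAX_LOGINS) {
        $db->rollBack();
        return null;                                  // "give out a message" branch
    }
    $sessionId = bin2hex(random_bytes(16));           // unguessable, unlike an IP or MAC
    $db->prepare('INSERT INTO user_sessions VALUES (?, ?, ?)')
       ->execute([$sessionId, $userId, $now]);
    $db->commit();
    return $sessionId;
}

// Logout frees the slot by deleting the row; there is no counter to keep in sync.
// Every authenticated request should also refresh last_activity for its session.
function logout(PDO $db, string $sessionId): void
{
    $db->prepare('DELETE FROM user_sessions WHERE session_id = ?')->execute([$sessionId]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_sessions (session_id TEXT PRIMARY KEY,
           user_id TEXT NOT NULL, last_activity INTEGER NOT NULL)');

$phone = login($db, 'i001', 1000);           // first device
login($db, 'i001', 1000);                    // second device (laptop)
var_dump(login($db, 'i001', 1000) === null); // third device is refused
logout($db, $phone);
var_dump(login($db, 'i001', 1000) !== null); // logging the phone out released its slot
var_dump(login($db, 'i001', 3000) !== null); // at t=3000 both idle sessions have expired
```

Because the free count is derived from rows rather than stored, a crashed request or a reaped session can never leave the counter out of step with reality; the session id, not the client IP, is what identifies a device, since IPs change and MAC addresses never reach the server.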